tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/fsck_untrusted.te
Jeff Vander Stoep 7ef80731f2 audit domain_deprecated perms for removal 
Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-10 07:42:55 -07:00

38 lines
1.1 KiB
Text
Raw Blame History

# Any fsck program run on untrusted block devices
type fsck_untrusted, domain, domain_deprecated;
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };
# Run fsck on vold block devices
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;
r_dir_file(fsck_untrusted, proc)
###
### neverallow rules
###
# Untrusted fsck should never be run on block devices holding sensitive data
neverallow fsck_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
Reference in a new issue View git blame Copy permalink